The first full year of data on the UK’s authorised push payment (APP) reimbursement requirement is now in, and it's enough to move beyond initial reactions and assess what it has actually changed. The policy was introduced to incentivise payment firms to prevent APP scams from occurring in the first place, while ensuring consumers are reimbursed if they fall victim. On the surface, the early numbers look encouraging, with high reimbursement rates, faster claim resolution, and signs of improved coordination between sending and receiving institutions.
But for fraud operations teams, the more important questions relate to what the scheme reveals about incentives, detection maturity, counterparty accountability, and the structural weaknesses APP fraud continues to exploit. The reimbursement regime goes beyond just consumer protection policy and also functions as a stress test of anti-fraud architecture.
The UK’s reimbursement regime has reshaped the economics of APP fraud. By splitting liability between sending and receiving firms, the framework creates financial accountability on both sides of a transaction.
That materially changes the anti-fraud picture.
Sending institutions must invest more heavily in detecting manipulation and emerging victimisation. Receiving institutions can no longer treat inbound monitoring as secondary; mule account detection now directly affects loss exposure.
This shared accountability pushes fraud teams toward ecosystem thinking. APP fraud depends on infrastructure, particularly intermediary mule accounts that receive, layer, and disperse funds. Under the reimbursement model, weaknesses in counterparty monitoring translate into shared cost.
That creates an incentive to strengthen inbound surveillance, accelerate interbank information exchange, and tighten onboarding scrutiny where mule activity tends to concentrate. But the deeper shift arguably lies in how fraud adapts to perimeter rules.
The reimbursement regime applies to specific payment types, primarily domestic Faster Payments and CHAPS transfers within the UK. It does not cover many crypto transactions, cross-border transfers, or certain business payments. And this is what fraudsters are adapting to.
Where domestic push payments become riskier to execute, funds are increasingly routing through hybrid structures: initial domestic transfers followed by rapid crypto conversion, cross-border layering, or use of fintech platforms outside the scheme’s scope.
This is the second-order risk. Regulation can reduce loss within its perimeter while simultaneously encouraging fraud displacement beyond it.
There is also a behavioural effect inside institutions. With reimbursement largely mandatory and consumer negligence exemptions used sparingly, post-loss debate becomes less commercially useful. The economics now favour prevention over adjudication.
Fraud teams are under pressure to reduce exposure upstream by identifying risky counterparties, detecting aggregation patterns early, and spotting trajectory signals before the authorised payment is initiated. In that sense, the scheme goes beyond reimbursing victims to also force institutions to confront whether their fraud architecture is transaction-focused or infrastructure-aware.
In the scheme's first year, the headline numbers appear positive. The PSR reports that 88% (£173m) of APP losses claimed have been reimbursed. This is a marked increase compared to the 65% reimbursement rate reported in 2024 prior to the scheme’s implementation.
Around 269,000 claims were submitted, with approximately 188,000 falling within scope for reimbursement. Claims volumes were roughly 15% lower than the previous year. Operational responsiveness also improved, with 82% of claims closed within five business days and 98% within 35 business days.
These metrics reflect process maturity as a response to regulatory pressure. Institutions are handling claims more consistently and coordinating more rapidly across the payment chain. Faster information sharing, with 86% of claims reportedly shared between sending and receiving firms within two business hours, suggests that the liability shift has strengthened interbank communication.
But from a fraud prevention perspective, the more important signals lie beneath the surface. Reimbursement rates don’t equate to fraud reduction. An 88% reimbursement rate means fraud still occurred. The system absorbed the cost more efficiently, but monetisation pathways remain active.
Over a third of UK adults report being targeted by APP fraud. Also, recent UK Finance data shows that authorised push payment losses reached £257.5 million in the first half of 2025, which was a 12% increase compared to the same period the previous year. For fraud ops, success should ultimately be measured by disruption upstream.
Typology data highlights structural concentration. Purchase scams account for roughly 72% of APP fraud cases, while investment scams account for a disproportionate share of financial losses, with reported losses in some categories rising sharply year-on-year. This concentration matters.
Purchase scams are often high-volume, lower-ticket events. Investment scams are lower-frequency but high-impact and frequently involve repeated transfers over time. These patterns need different detection postures; one focused on velocity and aggregation, the other on trajectory and behavioural drift.
Origin channel data for scams reinforces the reality that most APP scams begin outside the banking environment. UK Finance reporting indicates that the majority originate on online platforms, with a further share stemming from telecom channels. Banks sit at the monetisation stage rather than the genesis of deception. That doesn’t reduce responsibility, but it clarifies where in the lifecycle intervention becomes feasible.
Taken together, the early results show operational progress and improved victim outcomes. They also confirm that APP fraud remains infrastructure-driven, externally initiated, and concentrated in identifiable patterns.
The current rules primarily apply to authorised transfers between UK bank accounts over Faster Payments and CHAPS. That scope is deliberate, but it also creates clear boundaries. Transactions involving cryptocurrency wallets, certain cross-border transfers, and a range of alternative payment platforms sit outside that protective layer. Where funds move beyond domestic rails or into digital asset ecosystems, reimbursement won’t apply.
As liability tightens within reimbursable flows, fraud networks have a rational incentive to shift monetisation pathways toward channels with weaker recall mechanisms or regulatory coverage. A domestic push payment followed by rapid crypto conversion, or immediate onward transfer to an overseas account, can move funds beyond the scheme’s effective reach. The perimeter protects one segment of the payment ecosystem. Fraud adapts across segments.
In an interesting real-world case, there was a lesson too about the protection businesses get from this law. In Santander UK PLC v CCP Graduate School Ltd, a business victim of APP fraud sought to hold the receiving bank (Santander) legally responsible for the loss.
CCP had been deceived into authorising multiple push payments totalling over £400,000 into a fraudster-controlled account at Santander, and then argued Santander owed it a duty to take reasonable care to prevent its account being used to dissipate those funds. On appeal in March 2025, the High Court rejected that claim and struck it out entirely, holding that a receiving bank does not owe a free-standing duty to a third-party victim with whom it has no contractual relationship, simply because the fraudster’s account happened to be with that institution.
The court emphasised that Santander’s primary obligation was to comply with its own customers’ instructions, and there is no basis in existing law to impose a duty to unwind or restore funds for a non-customer victim. This confirms that outside the formal reimbursement framework that covers micro-enterprises and charities, most business victims may lack legal recourse against institutions that unknowingly facilitate the monetisation stage of APP fraud.
APP fraud runs through a predictable lifecycle, but a bank only ever sees part of it. The deception begins out of view, and stays invisible until the victim moves money. From that point there are two chances to intervene, and they fall to two different banks: the sending bank as the payment leaves, and the receiving bank as it arrives. If neither acts in time, the funds are split across layered accounts and moved on, often within minutes and well before the victim realises, leaving little that can be practically recovered.
Where banks act today
The problem is that the two points where banks typically act are already the closing stages. By then the victim has been manipulated and the receiving account is in place. The better moments come earlier: while a customer's behaviour is drifting under a scammer's influence, and while the receiving infrastructure is being set up. Neither is fully outside a bank's view. The behavioural signals sit in the run-up to the payment, and mule accounts leave detectable traces as they're opened and tested. Acting in that preparation window is the difference between preventing a loss and processing a claim.
Where banks could act earlier
Loss exposure now sits on both sides of the payment flow, which means your fraud posture must extend to the accounts receiving funds as much as those sending them. Monitoring outbound behaviour alone won’t protect you. You need continuous visibility into counterparty risk, inbound aggregation patterns, and emerging mule activity.
Coordination with other institutions goes beyond a compliance exercise. It becomes part of your core control environment. If APP fraud operates across the ecosystem, your detection strategy must do the same.
Most scams are set in motion long before the money moves, so the strongest signals show up in how a customer behaves in the run-up to a payment, not in the payment itself.
The reimbursement model makes post-loss processing less commercially defensible than pre-loss interruption.
On the receiving side, the task is to recognise an account being used to collect and move stolen funds, and to act before the balance is dispersed beyond recovery.
Reducing reimbursement exposure increasingly depends on how quickly you identify and disable receiving infrastructure.
Once funds convert to crypto or cross a border, recovery becomes far harder, so the window that matters is the domestic leg, the moment before money leaves reimbursable rails.
As liability tightens within Faster Payments, fraud pressure may shift toward less protected channels.
The first year of data makes it clear that the APP reimbursement regime improves outcomes for victims. It accelerates claim handling. It strengthens interbank communication.
But it doesn’t remove the underlying conditions that allow APP fraud to thrive; this means real-time payments, external social engineering channels, and monetisation infrastructure built around mule networks and rapid dispersal.
Banks typically encounter these scams at the monetisation stage. That means the decisive leverage points are above just warning customers or processing claims. It’s mostly about identifying and disrupting the infrastructure that absorbs and moves stolen funds.
Reducing exposure calls for continuous visibility into the accounts that receive funds, the networks they connect to, and the behavioural signals that indicate emerging victimisation before a high-value transfer initiates. Fraud teams need to evaluate every event across all channels, not in isolation, but in the context of the accounts involved, both first-party and counterparty.
This is where Acoru’s Account Monitoring Platform aligns with the direction that the regulation is pushing the market towards. By ingesting data from across your organisation, orchestrating signals omnichannel, and continuously classifying accounts as potential victims, mules, or laundering nodes, Acoru surfaces pre-fraud signals before the dots connect. Instead of reacting once a claim is raised, fraud teams gain the ability to identify risky trajectories and monetisation clusters early.
The reimbursement scheme absorbs losses after fraud succeeds. Account-level intelligence reduces the probability that those losses materialise in the first place.